IN THE UNITED STATES
RECEIVING OFFICE (RO/US) 

PATENT APPLICATION 

Applicants: MULLER, Frank; ROELOFSEN, Gerrit 
Case: PTT-128 (402571US) 

International Application No.: PCT/EP00/04627
International Filing Date: 19 May 2000 
Priority Date Claimed: 13 July 1999 
Title: A METHOD FOR PROTECTING A PORTABLE CARD 

COMMISSIONER FOR PATENTS 
BOX PCT

Washington, D. C. 20231 
SIR: 

PRELIMINARY AMENDMENT 

Please amend the above-identified patent
application, which is simultaneously filed herewith, as
follows:

IN THE CLAIMS

Delete claims 1-7 and substitute therefor the following
claims:

— 8. A method for protecting a portable card provided with
at least a cryptographic algorithm for enciphering data
and/or authenticating the card against deriving the secret
key used from statistical analysis of its information
leaking away to the outside world in the event of
cryptographic operations, such as power-consumption data,
electromagnetic radiation and the like, the card being
provided with at least a shift register having a linear and
a non-linear feedback function for creating cryptographic
algorithms, the method comprising loading data to be
processed and a secret key in the shift register of the
card, characterised in that an algorithm, comprising an
appropriately chosen succession of applications of linear
and non-linear feedback functions, is applied to the card in
such a manner that the collection of values of recorded
leak-information signals is resistant to deriving the secret
key by way of statistical analysis of said values.

9. The method according to claim 8, characterized in that,
after the key has been loaded into the shift register, the
shift register, during a specific period, clocks on several
times, at least using the linear-feedback function, and that
subsequently the data is loaded using only the
linear-feedback function and the shift register subsequently
clocks on.

10. The method according to claim 9, characterized in that
during the first instance of clocking on the shift register
is clocked on for so long that the content of all elements
of the shift register largely depend on the bits of the key.

11. The method according to claim 8, characterized in that,
after the key has been loaded into the shift register, the
shift register, during a specific period, clocks on several
times, and in that clocking on the shift register takes
place with an active linear and an active non-linear
feedback function of the shift register, no data being
loaded into the shift register, however, during, or prior
to, the clocking-on period or prior to loading the key.



12. The method according to claim 8, characterized in that 
the input of data into the shift register after loading the 
key into the shift register is disconnected from the shift 
register and is reinstated after the aforementioned specific 
period. 

13. The method according to claim 8, characterized in that 
the key is only loaded into the shift register in the event 
of a fixed content of the shift register.

14. The method according to claim 8, characterized in that, 
if the key is not loaded with a fixed content of the shift 
register, the key is loaded into the shift register using 
only the linear feedback function, whereafter clocking on 
takes place. —



REMARKS

The foregoing amendment is made to conform the
claims in the application to that amended in the
International Preliminary Examination Report, to delete
multiple dependent claims and correct minor typographical
errors.
The invention relates to a method for protecting a portable
card, provided with at least a crypto algorithm for enciphering data
and/or authenticating the card, against deriving the secret key used
from statistical analysis of its information leaking away to the
outside world in the event of cryptographic operations, such as power
consumption data, electromagnetic radiation and the like, the card
being provided with at least a shift register having a linear and a
non-linear feedback function for creating cryptographic algorithms,
the method comprising loading data to be processed and a secret key
in the shift register of the card.

Using a secret key to process input information and/or to
produce output information is generally known in the event of
cryptographic devices. Using feedback shift registers is also
generally known for creating cryptographic algorithms.

In this connection, data to be consecutively processed and a
secret key are loaded into one or more shift registers. Here, the
sequence of loading data and the key is random.
Subsequently, the output of the shift register and possibly the
shift-register contents are applied, using linear and/or non-linear
feedback, to determine the output of the entire algorithm.
The input of the shift register then, apart from the data and the
key, also consists of a linear and a non-linear combination of the
shift-register contents.

Such shift registers are generally applied in the event of
portable cards, such as chip cards, calling cards, smart-card
products and the like.

Since the secret key is not known to unauthorised third parties,
it is basically impossible to derive either the input or the key from
the output of the algorithm.

Now it has become apparent, however, that for chip cards and the
like it is possible, in the event of computations, to derive the
secret key used from a statistical analysis of the power consumption
of the card. Such methods are known as "Differential Power Analysis"
(DPA) and are described in the Internet publication DPA Technical
Information: "Introduction to Differential Power Analysis and Related
Attacks" by P. Kocher et al., Cryptography Research, San Francisco,
1998.
Said methods are based on the fact that, in practice, with
cryptographic operations, information is leaking away to the outside
world in the form of power-consumption data, electromagnetic
radiation and the like.

Thus, logical microprocessor units show regular
transistor-switching patterns which externally (i.e., outside the
microprocessor) noticeably produce electrical behaviour.

In this manner, it is possible to identify macro
characteristics, such as microprocessor activity, by recording the
power consumption and deriving information on the secret key used by
way of statistical analysis of the data thus obtained.

The invention now overcomes said drawback and provides a
portable card which is resistant to such analyses and therefore
provides a card which is safe to use.

The method according to the invention is characterised in that
an algorithm is applied to the card which is constructed in such a
manner that the collection of values of recorded leak-information
signals is resistant to deriving the secret key by way of statistical
analysis of said values. Advantageously, after loading the key into
the shift register, the shift register is subsequently clocked on,
during a specific period of time, several times, at least making use
of the linear feedback function.

A suitable alternative according to the invention is loading
only the key into the shift register in the event of a fixed content
of the shift register.

In a first advantageous embodiment of the invention, there is
first loaded the key, subsequently clocking on is performed, after
which the data is loaded.

In another advantageous embodiment of the invention, the key is first
loaded, subsequently the data is loaded into the shift register,
making exclusive use of the linear feedback function and subsequently
the clocking on is performed.

In yet another advantageous embodiment of the invention, the
data is first loaded, subsequently the key is loaded, making
exclusive use of the linear feedback function, whereafter clocking on
is performed.

The invention will now be further explained with reference to
the drawing and the description by way of non-limiting example.

FIG. 1 schematically shows a typical shift register as applied
with a portable card, such as a chip card and the like.
FIG. 2 schematically shows an advantageous solution according to
the invention, and

FIG. 3 schematically shows another advantageous solution
according to the invention.

Referring now to FIG. 1, there is shown a feedback shift
register 1, which is applied in any way suitable for that purpose to
a portable card, not shown for simplicity's sake, such as a chip
card, calling card and the like, having an input 2 and an output 3.

The feedback shift register 1 comprises a shift register 1a, as
well as a feedback function, which in this case consists of a linear
function 1b and a non-linear function 1c having an output 3a. Such a
feedback shift register, due to its relatively low costs, is eligible
for being applied to, e.g., calling cards and the like. The
non-linear function may see to it that each bit depends on each number of
key bits.

Shift registers are generally known and their operation will
therefore not be described in detail. The shift register 1a consists
of a series of bits. The length of a shift register is expressed in
bits; in the event of a length of n bits, it is called an n-bit shift
register.

Each time a bit is required, all bits in the shift register are
shifted 1 bit to the right. The new left bit is calculated as a
function of the bits remaining in the register and the input.

The output of the shift register is 1 bit, often the least
significant bit. The period of a shift register is the length of the
output series before repetition starts.

Data is loaded by way of the input 2; the key is loaded, and
results are produced by way of the output 3 or, if so desired, 3a.
In a similar situation, however, there may be carried out an attack
on the secret key used by way of DPA, based on power variations of
the system in the event of computations via statistical analysis of
"leak data" and error-correcting techniques.

In this connection, it should be noted that, from a security
viewpoint, it is desirable to load the key and the data non-linearly
into the shift register. It has become apparent, however, that in
the event of calculations, non-linearly loading the key and the data
into the shift register increases the chance of deriving the secret
key used through statistical analysis of the power consumption.

In FIG. 2 and FIG. 3, the same reference numerals as used in
FIG. 1 refer to the same components.



WO 01/05090 PCT/EP00/04627



FIG. 2 now shows an advantageous embodiment of the invention,
the key first being loaded into the shift register, subsequently data
being loaded, at least initially, exclusively using the
linear-feedback function, and then the clocking on (e.g., 100 times or over)
of the shift register taking place. During loading the data and, if
so desired, the subsequent clocking on, the non-linear function of
the shift register is deactivated until the shift register has been
sufficiently clocked on. Then, the non-linear function is switched
on once again.

In doing so, the linear-feedback function 1b continues to be
active.

Deactivating and activating, as the case may be, the non-linear
function 1c may take place in any way suitable for that purpose,
e.g., using switches.

The shift register 1a is advantageously clocked on so many times
that the content of all elements of the shift register depends on a
large portion of the bits of the key.

In another advantageous embodiment, after loading the key there
is first clocked on until the content of all elements of the shift
register depends on a large portion of the bits of the key. Only
after said clocking on, the data in the shift register 1a is
permitted to be loaded and non-linear operations on the content of
the shift register are also permitted to be effected.

Clocking on takes place in any way known to those skilled in the
art and will therefore not be explained in further detail.

For completeness' sake, it should be noted that DPA is only
capable of being carried out if there takes place a non-linear
operation of the data with the key. Since, in addition, the effort
required for DPA rises exponentially with the number of key bits on
which the bits in the shift register depend, it is achieved in this
manner that, in the event of sufficient interim clocking on of the
shift register 1a, applying DPA does not result in short-term
success.
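
The clocking-on step and the key-bit dependency argument above can be modelled as follows. This is an added example, not part of the patent application: the 8-bit register length and the tap positions are constructed, and each register element is tracked as the set of key bits XORed into it while only the linear feedback function is active.

```python
# Added illustration (not from the patent): which key bits does each element
# of a linearly clocked shift register depend on? Size and taps are constructed.

def clock_linear(cells, taps, in_mask=0):
    """One clock with only the linear feedback function active.

    cells[0] is the left-most element. Each entry is a bitmask over the key:
    bit j set means key bit j is XORed into that element. All elements shift
    one place to the right; the new left element is the XOR of the tapped
    elements and the input.
    """
    new = in_mask
    for t in taps:
        new ^= cells[t]
    return [new] + cells[:-1]


def load_key_then_clock(n, taps, clock_ons):
    """Load an n-bit key into an all-zero register, then clock on with no input."""
    cells = [0] * n                      # fixed content: all zeros
    for j in range(n):                   # key bit j enters on clock j + 1
        cells = clock_linear(cells, taps, in_mask=1 << j)
    for _ in range(clock_ons):           # data input disconnected
        cells = clock_linear(cells, taps)
    return cells


def min_dependency(n, taps, clock_ons):
    """Smallest number of key bits that any single element depends on."""
    return min(bin(m).count("1") for m in load_key_then_clock(n, taps, clock_ons))


def clocks_needed(n, taps, threshold, limit=10_000):
    """Fewest clock-ons after which every element depends on >= threshold key bits."""
    for c in range(limit + 1):
        if min_dependency(n, taps, c) >= threshold:
            return c
    raise ValueError("threshold not reached within limit")


if __name__ == "__main__":
    N, TAPS = 8, (7, 5, 4, 3)            # constructed 8-bit register and taps
    for c in (0, 4, 5):
        masks = load_key_then_clock(N, TAPS, c)
        print(c, [f"{m:08b}" for m in masks], "min =", min_dependency(N, TAPS, c))
```

Directly after loading, the right-most elements each still hold a single key bit; only after further clocking does every element mix several key bits, which is the condition the description sets before data and non-linear operations are admitted.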

In FIG. 3, there is shown an advantageous variant of the
invention, the key having been loaded with a fixed content of the
shift register (which may also consist purely of zeros) and clocking
on the shift register taking place with an active linear and an
active non-linear feedback function, but without data being loaded
into the shift register during the clocking-on period. In doing so,
the input of data into the shift register after loading the key is
disconnected from the shift register and is reinstated again after a
specific clocking-on period. Due to the fixed content of the shift
register, it is not permitted to apply any modifications and an
unauthorised third party shall not be capable of determining a
collection of different values of leak data, such as power
consumption, and subject it to statistical analysis in order to
retrieve the key.

In this solution according to the invention, the key may
therefore be loaded non-linearly, and deactivating the non-linear
feedback function will not be required.

In another advantageous embodiment of the invention, in the
event that the key, after data has been loaded into the shift
register, is not loaded with the fixed content of the shift register,
the key is loaded into the shift register using only the
linear-feedback function, whereafter subsequent clocking on is permitted to
take place.

After the aforementioned description, various modifications of
the method according to the invention will become apparent to those
skilled in the art.

Such modifications shall be deemed to fall within the scope of
the invention.
AMENDED SET OF CLAIMS

1. A method for protecting a portable card provided with at
least a cryptographic algorithm for enciphering data and/or
authenticating the card against deriving the secret key used from
statistical analysis of its information leaking away to the outside
world in the event of cryptographic operations, such as
power-consumption data, electromagnetic radiation and the like, the card
being provided with at least a shift register having a linear and a
non-linear feedback function for creating cryptographic algorithms,
the method comprising loading data to be processed and a secret key
in the shift register of the card, characterised in that an
algorithm, comprising an appropriately chosen succession of
applications of linear and non-linear feedback functions, is applied
to the card in such a manner that the collection of values of
recorded leak-information signals is resistant to deriving the
secret key by way of statistical analysis of said values.

2. The method according to claim 1, characterised in that,
after the key has been loaded into the shift register, the shift
register, during a specific period, clocks on several times, at
least using the linear-feedback function, and that subsequently the
data is loaded using only the linear-feedback function and the shift
register subsequently clocks on.

3. The method according to claim 2, characterised in that
during the first instance of clocking on the shift register is
clocked on for so long that the content of all elements of the shift
register largely depend on the bits of the key.

4. The method according to claim 1, characterised in that,
after the key has been loaded into the shift register, the shift
register, during a specific period, clocks on several times, and in
that clocking on the shift register takes place with an active
linear and an active non-linear feedback function of the shift
register, no data being loaded into the shift register, however,
during, or prior to, the clocking-on period or prior to loading the
key.

5. The method according to any of the preceding claims,
characterised in that the input of data into the shift register
after loading the key into the shift register is disconnected from
the shift register and is reinstated after the aforementioned
specific period.

6. The method according to any of the preceding claims,
characterised in that the key is only loaded into the shift register
in the event of a fixed content of the shift register.

7. The method according to any of the preceding claims,
characterised in that, if the key is not loaded with a fixed content
of the shift register, the key is loaded into the shift register
using only the linear feedback function, whereafter clocking on
takes place.
the United States Patent and Trademark Office in connection therewith.

Direct all correspondence to Customer Number 007265 at the following address: 

MICHAELSON & WALLACE
Parkway 109 Office Center
328 Newman Springs Road

□ P.O. Box ft^ftQ 



Red Bank, New Jersey 07701.
Direct all telephone calls to: (732) 530-6671.



I hereby declare that all statements made herein of my own knowledge are true 
and that all statements made on information and belief are believed to be 
true; and further that these statements were made with the knowledge that 
willful false statements and the like so made are punishable by fine or 
imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. 
First inventor:

Full name (last, first, middle): MULLER, Frank
Residence address (street; city, state, zip code; country): Hopstraat 59; 2611 TB, DELFT; The Netherlands
Post Office address (post office & box number; city, state, zip code; country): P.O. Box 95321; 2509 CH The Hague; The Netherlands
Citizenship: The Netherlands
Signature:
Date: 2001